New York Blood Center agrees to settle lawsuit tied to 2025 cyberattack
Farah Amod
January 14, 2026
A data breach earlier this year exposed employee and donor information at two major blood collection organizations.
What happened
New York Blood Center and Memorial Blood Centers have agreed to a $500,000 settlement to resolve class action litigation stemming from a January 2025 cyberattack. According to Claim Depot, attackers gained unauthorized access to systems containing personal and health-related information tied to both employees and blood donors. The incident affected more than 130,000 individuals, including current and former employees, as well as living donors. Exposed data included names, dates of birth, blood type information, limited test results, government identification numbers, and certain financial details used for payroll processing.
Going deeper
Following the incident, multiple lawsuits were filed and later consolidated in a Minnesota state court. Plaintiffs alleged that the organizations failed to apply reasonable safeguards to protect sensitive information entrusted to them. The defendants denied liability but agreed to resolve the claims to avoid prolonged litigation. While the breach did not involve patient treatment records, the exposure of donor blood data and employee identification information triggered regulatory review and notification obligations. Blood centers manage large volumes of personal data tied to lifesaving services, which makes even limited system intrusions operationally disruptive and legally complicated.
What was said
The organizations stated that they cooperated with investigators and took steps to strengthen internal security controls after identifying the intrusion. Court filings show that the settlement does not include an admission of wrongdoing. Plaintiffs argued that the breach placed affected individuals at risk of identity misuse, while the defendants maintained that the resolution was a pragmatic decision based on litigation costs rather than fault. Final approval of the settlement is expected after the court completes its review process.
The big picture
The settlement also fits into a pattern of sustained data exposure across the healthcare sector. Data compiled by the Privacy Rights Clearinghouse shows that healthcare breaches affected roughly 249 million individuals between 2005 and 2019, with more than 157 million records exposed in just the final five years of that period. More recent figures indicate the pace has not slowed, with an estimated 170 million healthcare records exposed in 2024 alone. The New York Blood Center incident shows how even organizations outside traditional hospital settings contribute to large-scale exposure as sensitive health and identity data remains widely distributed across the healthcare system.
FAQs
Why are blood centers subject to healthcare data breach rules?
They handle health-related and identifiable information connected to donors and employees, which brings them under federal and state privacy requirements.
Does this type of breach affect patient care?
Typically, no, but operational disruption and loss of trust can indirectly affect donation programs and service continuity.
Why are donor records considered sensitive?
They can reveal health indicators, test results, and identifying details that individuals expect to remain private.
Are settlements common after healthcare-related data breaches?
Yes. Organizations often resolve claims to limit legal costs and uncertainty, even when they dispute liability.
What can similar organizations do to reduce risk?
They can limit data retention, apply stronger access controls, monitor network activity, and review third-party security practices.
